Merge pull request #1060 from munnerz/orders-events

Add more Events to Orders and Challenges
2018-11-26 17:28:33 +00:00 · 2018-11-26 17:28:33 +00:00 · e0691e5827
commit e0691e5827
parent e2c71e0876 8f3589e59a
5 changed files with 29 additions and 7 deletions
--- a/pkg/controller/acmechallenges/scheduler/BUILD.bazel
+++ b/pkg/controller/acmechallenges/scheduler/BUILD.bazel
@ -15,6 +15,7 @@ go_library(
        "//pkg/controller:go_default_library",
        "//pkg/util:go_default_library",
        "//vendor/github.com/golang/glog:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/runtime:go_default_library",
--- a/pkg/controller/acmechallenges/scheduler/sync.go
+++ b/pkg/controller/acmechallenges/scheduler/sync.go
@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"

+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"

@ -78,11 +79,13 @@ func (c *Controller) Sync(ctx context.Context, ch *cmapi.Challenge) error {
 	// if there are no 'conflicts' detected above, then we can mark this challenge
 	// as processing.
 	ch.Status.Processing = true
-	_, err = c.CMClient.CertmanagerV1alpha1().Challenges(ch.Namespace).Update(ch)
+	ch, err = c.CMClient.CertmanagerV1alpha1().Challenges(ch.Namespace).Update(ch)
 	if err != nil {
 		return err
 	}

+	c.Recorder.Event(ch, corev1.EventTypeNormal, "Started", "Challenge scheduled for processing")
+
 	// we ignore the return value from waitForCacheSync - if it is false, the
 	// controller will shutdown anyway.
 	_ = c.waitForCacheSync()
--- a/pkg/controller/acmeorders/BUILD.bazel
+++ b/pkg/controller/acmeorders/BUILD.bazel
@ -18,6 +18,7 @@ go_library(
        "//pkg/util:go_default_library",
        "//third_party/crypto/acme:go_default_library",
        "//vendor/github.com/golang/glog:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
--- a/pkg/controller/acmeorders/sync.go
+++ b/pkg/controller/acmeorders/sync.go
@ -21,6 +21,7 @@ import (
 	"fmt"
 	"reflect"

+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/selection"
@ -210,6 +211,12 @@ func (c *Controller) Sync(ctx context.Context, o *cmapi.Order) (err error) {
 			continue
 		}

+		domainName := spec.DNSName
+		if spec.Wildcard {
+			domainName = "*." + domainName
+		}
+		c.Recorder.Eventf(ch, corev1.EventTypeNormal, "Created", "Created Challenge resource %q for domain %q", ch.Name, ch.Spec.DNSName)
+
 		existingChallenges = append(existingChallenges, ch)
 	}

--- a/pkg/issuer/acme/issue.go
+++ b/pkg/issuer/acme/issue.go
@ -61,6 +61,7 @@ func (a *Acme) Issue(ctx context.Context, crt *v1alpha1.Certificate) (issuer.Iss
 		// If we have generated a new private key, we return here to ensure we
 		// successfully persist the key before creating any CSRs with it.
 		glog.V(4).Infof("Storing new certificate private key for %s/%s", crt.Namespace, crt.Name)
+		a.Recorder.Eventf(crt, corev1.EventTypeNormal, "Generated", "Generated new private key")

 		keyPem, err := pki.EncodePrivateKey(key)
 		if err != nil {
@ -119,13 +120,14 @@ func (a *Acme) Issue(ctx context.Context, crt *v1alpha1.Certificate) (issuer.Iss
 		return issuer.IssueResponse{}, err
 	}
 	if !validForKey {
-		glog.V(4).Infof("CSR on existing order resource does not match certificate %s/%s private key. Creating new order.", crt.Namespace, crt.Name)
+		glog.V(4).Infof("CSR on existing order resource does not match certificate %s/%s private key", crt.Namespace, crt.Name)
 		return a.retryOrder(crt, existingOrder)
 	}

 	// If the existing order has expired, we should create a new one
 	// TODO: implement setting this order state in the acmeorders controller
 	if existingOrder.Status.State == v1alpha1.Expired {
+		a.Recorder.Eventf(crt, corev1.EventTypeNormal, "OrderExpired", "Existing certificate for Order %q expired", existingOrder.Name)
 		return a.retryOrder(crt, existingOrder)
 	}

@ -156,6 +158,8 @@ func (a *Acme) Issue(ctx context.Context, crt *v1alpha1.Certificate) (issuer.Iss
 		return issuer.IssueResponse{}, nil
 	}

+	a.Recorder.Eventf(crt, corev1.EventTypeNormal, "Order %q completed successfully", existingOrder.Name)
+
 	// If the order is valid, we can attempt to retrieve the Certificate.
 	// First obtain an ACME client to make this easier.
 	cl, err := a.helper.ClientForIssuer(a.issuer)
@ -163,16 +167,19 @@ func (a *Acme) Issue(ctx context.Context, crt *v1alpha1.Certificate) (issuer.Iss
 		return issuer.IssueResponse{}, err
 	}

-	// We check the current Order's Certificate resource to see if it's nearing expiry.
-	// If it is, this implies that it is an old order that is now out of date.
+	// Check the current Order's Certificate resource to see if it's nearing expiry.
+	// If it is, this implies that it is an old order that is now out of date so
+	// we retry the order.
 	certSlice, err := cl.GetCertificate(ctx, existingOrder.Status.CertificateURL)
 	if err != nil {
-		// TODO: parse returned ACME error and potentially re-create order.
+		a.Recorder.Eventf(crt, corev1.EventTypeWarning, "Failed to retrieve Certificate for Order %q (%s): %v", existingOrder.Name, existingOrder.Status.CertificateURL, err)
 		return issuer.IssueResponse{}, err
 	}

+	// TODO: retry the order?
+	// this is a weird error we'd not expect to see
 	if len(certSlice) == 0 {
-		// TODO: parse returned ACME error and potentially re-create order.
+		a.Recorder.Eventf(crt, corev1.EventTypeWarning, "BadCertificate", "Empty certificate data retrieved from ACME server")
 		return issuer.IssueResponse{}, fmt.Errorf("invalid certificate returned from acme server")
 	}

@ -182,6 +189,8 @@ func (a *Acme) Issue(ctx context.Context, crt *v1alpha1.Certificate) (issuer.Iss
 		return a.retryOrder(crt, existingOrder)
 	}

+	// Check if the currently available Certificate from the Order is up to date.
+	// This may not be the case at renewal time if the old order is still available.
 	if a.Context.IssuerOptions.CertificateNeedsRenew(x509Cert, crt.Spec.RenewBefore) {
 		// existing order's certificate is near expiry
 		return a.retryOrder(crt, existingOrder)
@ -302,11 +311,12 @@ func (a *Acme) createNewOrder(crt *v1alpha1.Certificate, template *v1alpha1.Orde
 	// set the CSR field on the order to be created
 	template.Spec.CSR = csrBytes

-	_, err = a.CMClient.CertmanagerV1alpha1().Orders(template.Namespace).Create(template)
+	o, err := a.CMClient.CertmanagerV1alpha1().Orders(template.Namespace).Create(template)
 	if err != nil {
 		return err
 	}

+	a.Recorder.Eventf(crt, corev1.EventTypeNormal, "OrderCreated", "Create Order resource %q", o.Name)
 	glog.V(4).Infof("Created new Order resource named %q for Certificate %s/%s", template.Name, crt.Namespace, crt.Name)

 	return nil